High-profile hack attack offers a lesson for other at-risk sites
It happened early last week: Twitter started buzzing; one of the world's largest news portals was offline, and a hacking group was claiming responsibility. The Syrian Electronic Army (SEA), a pro-Assad hacking group known for their previous campaigns against media organizations, altered the DNS records for the New York Times, Twitter, and the Huffington Post. The group also targeted ShareThis.com, a platform that enables readers to share links to content on a wide range of services, including social media, sites like Reddit, Slashdot, and more.
Twitter had the most issues to deal with, as its domain shortening service (t.co) as well as its primary domain and image hosting service (twimg.com) all had their DNS records altered. The attack was possible due to a social engineering campaign launched by the SEA that targeted MelbourneIT, the registrar responsible for hosting the targeted DNS servers.
According to reports, including those from MelbourneIT themselves, the SEA spent some time on this campaign, and created a clever phishing email that eventually snared an unknown reseller's username and password, which granted them access to the domain controls needed to alter DNS settings.
While this attack was bad, things could have certainly been much worse, as other large brands also use MelbourneIT for their DNS. Among the other customers are Yahoo, Google, Microsoft, Adobe, IKEA, and AOL. Fortunately, the account that the SEA compromised didn't share access to those domains.
"Social-engineering and most specifically phishing is one of the largest attack surfaces we face in the security industry. Hacking through websites and breaching perimeters takes way too much time and is usually not worth the effort. Sending a targeted email to a company almost guarantees you access to whatever you want and we aren't capable of handling these types of attacks right now," said Dave Kennedy, the creator of the Social Engineer Toolkit and the founder of TrustedSec, in an email to CSO.
Kennedy added, "My question to everyone right now is that if they are targeting resellers, outside parties, and people not always in the company, but control certain aspects of an organization, where does this leave our massive exposures in the cloud?"
Still at risk
In the wake of the Twitter and New York Times attacks, several major brands remain at risk. The risk comes from two angles. The first is exposure to social engineering: should an attacker gain access to the DNS controls directly, a situation such as the one that occurred this week could certainly happen again.
The other angle is whether a registry lock is in use. Since details have started to emerge about how the New York Times, Twitter, and the others were attacked (thanks to disclosures from MelbourneIT), one of the defenses being touted is the practice of applying a Registry Lock flag to critical domains.
Registry locks are usually applied by the registrar and are used to prevent unauthorized or unwanted changes to a domain. Once a domain name is flagged, the lock prevents DNS modifications, contact modifications, transfers, and deletion. Any change requested will require additional methods of verification beyond a username and password.
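A domain owner can verify whether such a lock is actually in place by reading the status flags that WHOIS (or RDAP) reports for the domain. The following is an added example, not code from the article or from any registrar; it assumes, as is standard in EPP status reporting, that a registry lock shows up as the registry-level flags serverUpdateProhibited, serverTransferProhibited and serverDeleteProhibited, while the client*Prohibited flags are set by the registrar and can be cleared with the same reseller credentials a phishing campaign would steal. The WHOIS snippets and domain names below are constructed for the example.

```python
"""Classify a domain's lock level from WHOIS "Domain Status:" lines.

Added example (not from the article). Assumption: a registry lock is
represented by the three server*Prohibited EPP status codes; the
client*Prohibited codes are registrar-level and offer weaker protection
against a compromised registrar or reseller account.
"""
import re

# Registry-level flags: only the registry itself can clear these, and a
# registrar normally has to go through an out-of-band verification step.
REGISTRY_LOCK = {
    "serverUpdateProhibited",
    "serverTransferProhibited",
    "serverDeleteProhibited",
}

# Registrar-level flags: cleared through the registrar's own control panel,
# i.e. by anyone holding the registrar/reseller credentials.
REGISTRAR_LOCK = {
    "clientUpdateProhibited",
    "clientTransferProhibited",
    "clientDeleteProhibited",
}

# WHOIS output lists each status as e.g.
# "Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited"
STATUS_RE = re.compile(r"^\s*Domain Status:\s*(\w+)", re.IGNORECASE | re.MULTILINE)


def parse_statuses(whois_text):
    """Return the set of EPP status codes found in a WHOIS text block."""
    return set(STATUS_RE.findall(whois_text))


def lock_level(statuses):
    """Map a set of status codes to 'registry', 'partial', 'registrar' or 'none'."""
    if REGISTRY_LOCK <= statuses:
        return "registry"
    if statuses & REGISTRY_LOCK:
        # Some but not all server flags: e.g. transfers blocked but DNS/contact
        # updates (the change the SEA made) still allowed.
        return "partial"
    if REGISTRAR_LOCK <= statuses:
        return "registrar"
    return "none"


def assess(whois_text):
    """Summarise lock status and which registry flags are still missing."""
    statuses = parse_statuses(whois_text)
    return {
        "level": lock_level(statuses),
        "statuses": sorted(statuses),
        "missing_registry_flags": sorted(REGISTRY_LOCK - statuses),
    }


# Constructed WHOIS excerpts (not real registrar output).
SAMPLE_LOCKED = """
Domain Name: EXAMPLE.COM
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
"""

SAMPLE_REGISTRAR_ONLY = """
Domain Name: EXAMPLE.NET
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
"""

SAMPLE_UNLOCKED = """
Domain Name: EXAMPLE.ORG
Domain Status: ok https://icann.org/epp#ok
"""

if __name__ == "__main__":
    for name, text in [("locked", SAMPLE_LOCKED),
                       ("registrar-only", SAMPLE_REGISTRAR_ONLY),
                       ("unlocked", SAMPLE_UNLOCKED)]:
        print(name, assess(text))
```

In practice the input would come from a scheduled `whois` or RDAP query for each critical domain, with an alert raised whenever `level` is anything other than "registry" or when the status set changes between runs; a lock that silently disappears is itself a signal worth investigating.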
Rapid7's Chief Research Officer, HD Moore, monitored many of the Web's top brands in the aftermath of the SEA attacks. In the hours following the attacks, a number of brands had registry locks placed on their domains. As expected, Twitter locked t.co and twimg.com, but they also added a lock to tweetdeck.com and vine.com. The Huffington Post, another victim of the SEA, also added a registry lock. Moreover, Patch.com, MapQuest.com, Starbucks.com, and TechCrunch.com also added registry locks.
Among those brands lacking registry lock protection are Adobe (Adobe.com and Acrobat.com), American Airlines, AOL, BB&T Bank, Australia and New Zealand Banking Group, Cisco, IBM, and 1&1 Internet (Mail.com), just to name a few. There are plenty of others, including major security firms (McAfee), media (Houston Chronicle, SF Gate), as well as service portals such as PR Newswire and Monster.com.
In an email sent to CSO, Moore said that although twitter.com did have a lock in place at the time of the attack, many large-brand domains were hosted with MelbourneIT and were not locked.
"There is no evidence that the attackers made changes to these domains, but these were potentially vulnerable at the time the attack took place. In other words, things could have been much worse."
In a statement, MelbourneIT encouraged domain owners to use registry locks. While the protection offered isn't foolproof, it's another layer of defense.
"For mission critical names we recommend that domain name owners take advantage of additional registry lock features available from domain name registries including .com... Some of the domain names targeted on the reseller account had these lock features active and were thus not affected."